Hackers were developing libraries to repackage the malware into a more potent form.
The WireLurker virus is likely to undergo continued development, despite the arrests of three men in China, according to the security company Palo Alto.
iPhones could be infected by the malware through a USB cable, even if they had not been configured to install third-party apps (or "jailbroken"), though Apple claims to have since shut down the offending software.
Brian Tokuyoshi, senior product marketing manager at Palo Alto, said: "What our researchers saw was the creation of different modules and libraries, so it could be repackaged and reused in different ways.
"The hackers weren’t just building an app out of this, they were developing a library infrastructure to develop more capabilities with it."
This month, Palo Alto discovered 467 WireLurker-infected Mac OS X apps on the Chinese third-party app store Maiyadi; the apps had been downloaded an estimated 356,000 times. A less common Windows variant has been downloaded 65,000 times since March.
Beijing police reported that they had apprehended three Chinese men with the surnames Lee, Wang and Chen in connection with the virus, but failed to give many more details.
Tokuyoshi added that although the virus could target phones that were not jailbroken, it was more potent on devices that had been configured to install third-party apps.